Final Omnibus Rule modifies HIPAA Privacy, Security and Enforcement Rules

On January 25, 2013, the Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules was published in the Federal Register. Among other things, the omnibus Final Rule revised the existing rule on breach notification for unsecured protected health information under the HITECH Act. The rule added language to the definition of a breach to identify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or Business Associate demonstrates that there is a low probability that the protected health information has been compromised. The rule also removed the harm standard and modified the risk assessment in order to focus objectively on the risk that the protected heath information has been compromised. The more objective factors that must be considered when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary are also identified in the Final Rule. The factors that must be considered as part of the risk assessment are: “(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.” Depending on the circumstances, other factors may also be considered as part of the risk assessment. 78 Fed. Reg. 5566 (January 25, 2013).